On Fri, Jun 01, 2018 at 02:46:40PM +0200, Peter Krempa wrote:
On Fri, Jun 01, 2018 at 13:32:20 +0100, Daniel Berrange wrote:
> On Fri, Jun 01, 2018 at 02:08:38PM +0200, Kashyap Chamarthy wrote:
> > Signed-off-by: Kashyap Chamarthy <kchamart(a)redhat.com>
> > ---
> > src/qemu/qemu.conf | 5 +++--
> > 1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> > index 31738ff19c..444247cf31 100644
> > --- a/src/qemu/qemu.conf
> > +++ b/src/qemu/qemu.conf
> > @@ -403,13 +403,14 @@
> > #
> > # user = "qemu" # A user named "qemu"
> > # user = "+0" # Super user (uid=0)
> > +# user = 'root' # The 'root' user
> > # user = "100" # A user named "100" or a user
with uid=100
> > #
> > -#user = "root"
> > +#user = "qemu"
> >
> > # The group for QEMU processes run by the system instance. It can be
> > # specified in a similar way to user.
> > -#group = "root"
> > +#group = "qemu"
> >
> > # Whether libvirt should dynamically change file ownership
> > # to match the configured user/group above. Defaults to 1.
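Review bot: the added example line `# user = 'root' # The 'root' user` uses single quotes while every neighbouring example (`# user = "qemu"`, `# user = "+0"`, `# user = "100"`) uses double quotes; match them. In the same hunk, the commented-out `#user = "root"` / `#group = "root"` lines document the value configure compiles in, so changing them to `#user = "qemu"` / `#group = "qemu"` without changing the build default leaves the shipped file claiming a default it does not have; either change the configure default in the same series or generate these lines from the configured value.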
>
> The reason the config file documents 'root' is because that is what
> configure defaults to. If you pass --with-qemu-user to configure,
> we don't update the config file example though, and perhaps we should.
>
> Alternatively should we make configure default to 'qemu' instead of
> 'root', since it is generally considered insane to run QEMU as root.
But user 'qemu' is not by default present on all systems. Even the
libvirt.spec file creates the account.
Yes, that's the reason configure defaults to 'root', but I really hate
the fact that we default to a config that no one should ever run in
practice.
We could check for existence of 'qemu' in configure and complain if
it is missing, but that's painful in itself as it is valid to build
on a host without the user, as long as it exists at runtime.
I tend to think we should just blindly use qemu/qemu by default and
document that creating these accounts is a requirement. Users will
quickly see if they're missing when they try to start a guest.
As a second thought, we generally use commented-out bits that are the
non-default configuration. So this fits the pattern to the extent that
any sane distro specifies its own user/group using the configure
options and if for any reason the user wants to run this as root it's
done just by uncommenting it.
Most commented out bits are not a security flaw if uncommented though.
The fact that we show 'user=root' in the config file though puts across
the misleading idea that it is a reasonable thing to do, when in fact it
is a horribly insecure thing to do.
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|